Have a laptop with a fingerprint reader and use that biometric security? Most popular laptops shipped with a UPEK fingerprint reader. If yours did, then sadly your password is not secure. It's easy to crack and, in fact, destroys 'the entire security model of Windows accounts.'

If your password management system is to use your "fingerprint as your master password," and if your laptop uses UPEK software, then you'll not be happy to know your Windows password is not secure and instead is easily crackable. In fact, "UPEK's implementation is nothing but a big, glowing security hole compromising (and effectively destroying) the entire security model of Windows accounts." UPEK fingerprint readers and software came installed on laptops from any of these 16 manufacturers: Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.

On the Elcomsoft blog about "advanced password cracking insight," Olga Koksharova had bad news for people who thought they were more secure by using biometrics, a UPEK fingerprint reader, instead of relying on a password. UPEK stores Windows account passwords in the registry "almost in plain text, barely scrambled but not encrypted." It's not just a few that are susceptible to hacking. "All laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite are susceptible. If you ever registered your fingerprints with UPEK Protector Suite for accelerated Windows login and typed your account password there, you are at risk."

"We could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable 'automatic login', which is discouraged by Microsoft." In fact, Windows warns users that automatic login is a security risk before allowing activation of the setting.

So if you subscribed to the theory "password management at your fingertips," believing that biometrics increased your security via using UPEK Protector Suite, and also encrypted files or folders with Windows Encrypting File System (EFS), then Elcomsoft has even worse news for you.

UPEK Protector Suite software shipped with laptops equipped with UPEK fingerprint readers until 2010, when the company was acquired by AuthenTec and switched to TrueSuite software. Elcomsoft warned, however, that most "existing laptop users will simply stay with the old flawed software, not feeling the need to upgrade." Furthermore, "if you care about security of your Windows account, launch UPEK Protector Suite and disable the Windows logon feature. That should clear the stored password for your account. Note that you should clear all stored account passwords to protect all user accounts."

Ars Technica's Dan Goodin reported that AuthenTec is allegedly "aware of the weakness" in the UPEK Protector Suite. Yet AuthenTec has neither recalled the software nor issued a security warning, despite the fact that the digital privacy of millions of people is now at risk.

According to Sophos Naked Security, "Brent Dietz, the Director of Corporate Communications at Authentec, said that his company can’t find any evidence to support those [Elcomsoft] claims." Dietz added that "ProtectorSuite uses AES encryption to protect stored passwords and that the company would never leave passwords in an unencrypted state in its software – past or present. Should the company find evidence to support Elcomsoft's claims, it will push a patch to customers immediately."